<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<meta name="keywords" content="SecuLution online documentation, web online help, web help" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<link rel=stylesheet href="default.css" type="text/css" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

 <TITLE>SecuLution Dokumentation - Test setup in 30 minutes</TITLE>
<STYLE type="text/css">
.t0i { font-family: Tahoma, Verdana; font-size: 11px; color: #000000; text-decoration: none } 
  .i0tab { border: 0; border-collapse: collapse; }
  .i0ind { border: 0; Height: 16px }
</STYLE>
</HEAD>
<BODY bgcolor="white" style="margin: 0; border: none; padding: 0px">
<TABLE width="100%" border="1" cellpadding="5">
<TR valign="top">
  <TD bgcolor="white">
  
<h1>Test setup in 30 minutes</h1>

<h2>Quick Start: Installing and configuring a test environment in
30 minutes</h2>

<hr>

<ul>
<li><a href="#StartAppliance">Start Appliance</a>
</li>

<li><a href="#InstallAdminWizard">Install AdminWizard</a>
</li>

<li><a href="#ImportPattern">Import pattern files</a>
</li>

<li><a href="#BaseConfiguration">Base configuration</a>
</li>

<li><a href="#Setlearningmode">Set learn mode</a>
</li>

<li><a href="#InstallAgent">Install Agent</a>
</li>

<li><a href="#Turnlearningmodeoff">Turn learn mode off</a>
</li>

<li><a href="#Testing">Testing</a>
</li>

<li><a href="#Auditlearnedprograms">Audit learned programs</a>
</li>

<li><a href="#Unknownapplication">Unknown hashes</a>
</li>
</ul>

<hr>

<h4><a id="StartAppliance" name="StartAppliance"></a>Start
Appliance</h4>
Your Appliance will be delivered preconfigured for your network. If
you received a physical device, just plug it in and boot it up.
After 2 minutes you should be able to ping the Appliance.<br>
<br>
If you have received a virtual appliance (VM),<br>

<ul>
<li>copy the directory "SecuLution VM" from your CD to your ESX(i)
datastore,</li>

<li>choose "Add to inventory" on the .vmx file,</li>

<li>edit the VM settings: remove "network adapter 1", add a new E1000
network adapter and select the appropriate network connection.</li>
</ul>
<br>

<hr>

<h4><a id="InstallAdminWizard" name=
"InstallAdminWizard"></a>Install AdminWizard</h4>

<p>Installing the AdminWizard is straightforward. Just run
setup.exe from the AdminWizard directory of your SecuLution install
CD.</p>

<p>The initial login password is "password".</p>

<p>When started for the first time, the AdminWizard will guide you
through the mandatory configuration tasks. It will also ask for the
path where the agent installation files are stored in your network.
We'll configure that later. For now just click cancel.</p>
<img title="AgentInstallPath" alt="AgentInstallPath" src=
"i/000646.png"><br>
Internet access is required for VM activation.<br>
<br>

<hr>

<h4><a id="ImportPattern" name="ImportPattern"></a>Import pattern
files</h4>

<p>The key to a good whitelist is importing pattern files from a
computer you trust. For our test setup we'll now assume that your
computer is running only trustworthy software. Because this might
not really be true, we'll recreate a new whitelist from scratch
when we set up SecuLution for a production environment later.</p>

<p>To import trusted applications, select menu item <strong>Extra
&gt; Generate rules from files</strong>:</p>
<img title="MenuImportFromFiles" alt="MenuImportFromFiles" src=
"i/000648.png"><br>
<br>
Double-click on "C:\" and click "List":<br>
<img title="ImportFromDir" alt="ImportFromDir" src=
"i/000649.png"><br>
<br>
Note the field "Classification". Enter text that describes what you
are importing here. Use a semicolon to separate levels. Click on
"Import". The AdminWizard will now create a hash (fingerprint) for
every file on this computer and import that hash into the whitelist
of trusted applications. Each hash will be marked with the given
classification.<br>
<br>
Done. You have generated an initial whitelist for testing
purposes.<br>
<br>

<hr>

<h4><a id="BaseConfiguration" name="BaseConfiguration"></a>Base
configuration</h4>
Configuration settings for the Appliance are set in the "Server
config" tab. Select the "Default response for unknown programs"
tab and enter a message that will be shown to users when they try to
use an unknown hash. We'll configure logging later.<br>
<img title="setDefaultDeny" alt="setDefaultDeny" src=
"i/000661.png"><br>
<br>
Agent configuration values are part of the whitelist. Choose "Rules
by program" (menu item <strong>View &gt; Rules &gt; by
Program</strong>, or the leftmost radio button under the Rules
tab), scroll upwards and double-click "Agent config":<br>
<img title="AgentConfig" alt="AgentConfig" src="i/000651.png"><br>
<br>
Go through each config option and configure the following settings.
(If need be, click into the empty line to create a new rule.)<br>

<ul>
<li>device-check -&gt; set to "check devices"</li>

<li>disable-password -&gt; set a disable-password</li>

<li>dll-check -&gt; set to "do not check dlls"</li>

<li>hideicon -&gt; set to "show Agent icon"</li>

<li>offline-mode -&gt; set to "don't ask password"</li>
</ul>
Finally, activate your changes and upload your whitelist to the
Appliance by pressing the up arrow:<br>
<img title="activate" alt="activate" src="i/000657.png"><br>
<br>
Important: Any change to the whitelist will remain in the
AdminWizard's memory only and will not be active on the Appliance
until you press the up arrow! Imagine the arrow as a command to
push the current whitelist to the Appliance.<br>
<br>

<hr>

<h4><a id="Setlearningmode" name="Setlearningmode"></a>Set learn
mode</h4>

<p>After you have imported patterns from trusted files, you might
expect that any and all software (their hashes) will be present in
the whitelist. But in most cases our whitelist is still not
complete. For example, hashes of programs that start from a remote
UNC path, devices, even the Agent itself (which we will install
next) have not yet been added to our whitelist, because so far
we've only imported hashes that were already on drive "C:\". To add
all the other hashes that are used on this computer to our
whitelist, we'll now configure a learn mode.</p>

<p>A learn mode is a configuration option that instructs the
Appliance to NOT deny hashes that are not known in the whitelist,
but to allow them instead and also to add them to the whitelist.
The idea is to "learn" these hashes. The "Classification" will be
added to each program processed in learn mode.</p>

<p>Turn on the learn mode by selecting the "Server config" tab,
then the "Learn mode" tab:</p>
<img title="learn mode" alt="learn mode" src="i/000658.png"><br>
Type "Delta" in "Classification", select "Duration" of "32 d[ays]"
and click "Learn mode on".<br>
<br>
During a learn mode the Appliance will only learn new and currently
unknown hashes if the programs or devices represented by the hash
are actually started or used on a machine where the Agent is
installed. So next we need to install the Agent.<br>
<br>

<hr>

<h4><a id="InstallAgent" name="InstallAgent"></a>Install Agent</h4>

<p>CAUTION: Following the next step will cause a forced reboot
without asking for confirmation. Close your applications and save
your work now!</p>

<p>Go to the directory "Client-Installer" on your SecuLution
install CD, right-click on "autosetup.exe" and choose "Run as
administrator". The Agent will be installed and your computer will
reboot.</p>

<p>Log in and wait until your computer has started the autostart
programs. Sometimes a computer keeps starting further programs
after you have logged in (e.g. NETLOGON, GPOs). Once you think your
computer is up and ready for normal usage, you can start the
AdminWizard again.</p>

<p><br>
</p>

<hr>

<h4><a id="Turnlearningmodeoff" name="Turnlearningmodeoff"></a>Turn
learn mode off</h4>

<p>To turn off the learn mode click on the trashcan icon:</p>
<img title="turnofflm" alt="turnofflm" src="i/000660.png"><br>
<br>
Now your SecuLution system is protecting your computer. We are
ready for testing.<br>
<br>

<hr>

<h4><a id="Testing" name="Testing"></a>Testing</h4>

<p>You have successfully secured your computer. Let's start some
trustworthy programs to verify that the computer works normally.
You should be able to run any software that you can find on "C:\"
since we've imported all these files already. Does your computer
behave normally? Good! That's what we want!</p>

<p>Now let's try to start a program which is not (yet) in your
whitelist. You can do that by downloading software, inserting a CD
or starting programs that are stored on a server (a UNC path, which
we haven't imported before). Don't use a USB stick yet: USB
devices are managed by SecuLution, too, but your stick is not
yet an allowed device.</p>

<p>Any attempt to start a program that is not yet in your whitelist
is blocked, and you will see a popup with the DENY message you
configured earlier:</p>
<img title="denypopup" alt="denypopup" src="i/000662.png"><br>
<br>
That's it! Your computer is secure! Only software that is
classified as trustworthy can be started.<br>
<br>

<hr>

<h4><a id="Auditlearnedprograms" name=
"Auditlearnedprograms"></a>Audit learned programs</h4>

<p>Remember that we turned on a learn mode to "learn" additional
software and devices that were not imported during the "Import
pattern files" step. Now it's time to look over the hashes
(programs and devices) that have been added during this learn mode
in order to either delete unwanted hashes from our whitelist or to
classify them correctly. Since you don't want to go through all the
thousands of hashes that might now be in your whitelist, we'd like
to see only those hashes that have been added during the learn
mode. To do so, select menu item "View/Rules/by classification" (or
just click the 4th radio-button in the "Rules" tab treeview):</p>
<img title="tbclassification" alt="tbclassification" src=
"i/000663.png"><br>
<br>
Double-click "Delta". You will find hashes here that have been
"learned" during the learn mode because they were not (yet)
included in the whitelist at the time they were checked by the
Agent. So they have been learned and classified with the
classification string "Delta" you entered when turning on the learn
mode. In the example above, these three programs are part of the
Agent, and the Agent had not been installed on this computer at the
time we were importing patterns from drive "C:\".<br>
Mark all the programs for which you want to change the
classification by holding the <em>Ctrl</em> key while clicking on
each program. Then right-click and choose "change classification".
Enter "SecuLution;Agent;Vx.y.z" where x, y and z are the version
number (see program properties).<br>
<br>
After that, you should have successfully classified these hashes
(press F5 to refresh view).<br>
<img title="classified" alt="classified" src="i/000664.png"><br>
<br>
Now do the same for your devices:<br>
<img title="classified" alt="classified" src="i/000665.png"><br>
<br>

<hr>

<h4><a id="Unknownapplication" name=
"Unknownapplication"></a>Unknown hashes</h4>
What if you're not sure about what you find during your audit of
learned hashes?<br>
Right-click the hash and search Google:<br>
<img title="sgoogle" alt="sgoogle" src="i/000667.png"><br>
Most of the time you'll find interesting additional information
about the hash.<br>
<br>
You can also request additional information from our webservice
"<a href="audit.htm#ssdb">Managed Whitelist</a>" by clicking on
"Check program online". You'll be presented with information
regarding this hash, in this case:<br>
<img title="virusfound" alt="virusfound" src="i/000668.png"><br>
The information presented to you here is based on more than 50
different antivirus tools and a list of trusted applications which
we (the company SecuLution) manage and update on a daily basis.<br>
<br>
You definitely want to block the software in this example. To block
this software, just remove it from the list of trusted applications
by pressing the "delete entry" button:<br>
<img title="deleteentry" alt="deleteentry" src="i/000669.png"><br>
<br>
That's it.<br>
(However, it still might be a good idea to examine the computer on
which this known malware was initially executed. See the rule's
remark: "first checked by user username on host hostname with IP
address on date-time".)<br>
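<p>Added example (not SecuLution code and not part of the original
documentation): a simplified Python model of the whitelist life cycle
this page walks through, covering import from a directory, learn mode
with the "Delta" classification, default deny, the audit by
classification and "delete entry". The class and method names, the
sample files and the use of SHA-256 are assumptions; the page does not
name the hash algorithm.</p>

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Hash of the file contents. SHA-256 is an assumption; the page names no algorithm."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


class Whitelist:
    """Toy model of the whitelist; class and method names are hypothetical."""

    def __init__(self, deny_message):
        self.deny_message = deny_message
        self.rules = {}                   # maps hash to classification and remark
        self.learn_classification = None  # None means learn mode is off

    def import_directory(self, root, classification):
        """Models 'Generate rules from files': one rule per file below root."""
        for folder, _dirs, files in os.walk(root):
            for name in files:
                digest = fingerprint(os.path.join(folder, name))
                self.rules.setdefault(
                    digest, {"classification": classification, "remark": "imported"})

    def check(self, path, user, host):
        """Decision taken when a program is started on a machine running the Agent."""
        digest = fingerprint(path)
        if digest in self.rules:
            return "ALLOW"
        if self.learn_classification is not None:
            # Learn mode: allow the unknown hash, add it, and note who ran it first.
            self.rules[digest] = {
                "classification": self.learn_classification,
                "remark": f"first checked by user {user} on host {host}"}
            return "ALLOW (learned)"
        return "DENY: " + self.deny_message

    def by_classification(self, prefix):
        """Audit view: hashes whose classification levels start with prefix."""
        want = prefix.split(";")
        return [h for h, rule in self.rules.items()
                if rule["classification"].split(";")[:len(want)] == want]


def demo():
    """Walk the page's steps over constructed sample files and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "C"))
        files = {"notepad": "C/notepad.exe", "agent": "agent.exe",
                 "tool": "tool.exe", "download": "download.exe"}
        path = {}
        for key, rel in files.items():
            path[key] = os.path.join(tmp, rel)
            with open(path[key], "wb") as fh:
                fh.write(("constructed sample: " + key).encode())

        wl = Whitelist("Unknown program, contact your administrator.")
        wl.import_directory(os.path.join(tmp, "C"), "Test;Import C")
        wl.learn_classification = "Delta"                 # "Learn mode on"
        learned = [wl.check(path[k], "alice", "pc01") for k in ("agent", "tool")]
        wl.learn_classification = None                    # learn mode off
        audit = wl.by_classification("Delta")             # only what was learned
        agent, tool = fingerprint(path["agent"]), fingerprint(path["tool"])
        wl.rules[agent]["classification"] = "SecuLution;Agent;Vx.y.z"
        remark = wl.rules[tool]["remark"]                 # where to investigate
        del wl.rules[tool]                                # "delete entry"
        after = {k: wl.check(path[k], "alice", "pc01") for k in files}
        return {"learned": learned, "audit_count": len(audit), "remark": remark,
                "agent_rules": len(wl.by_classification("SecuLution;Agent")),
                "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

<p>In this model everything started while learn mode is on ends up
trusted until the audit removes it, which is why the "Delta" review
comes before relying on the whitelist.</p>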
  </TD>
</TR>
</TABLE>
</BODY>
</HTML>
